Analysis Example: The Unreasonable Labor of Security Hygiene
When preparing the lecture on security, I drafted this screed on the work involved to follow security hygiene best practices. It's a bit sloppy. It doesn't really have a coherent thesis, or any substantiation in any research or other experiences. It's mostly a personal account of trying to follow best practices. Because it's kind of ranty, and doesn't draw upon any other resources, I'd give it a 3.2.
The unreasonable labor of security hygiene
Amy J. Ko
I used to not care about computer security. Back in the 2000's, I couldn't imagine anything less important: I aggressively kept my private information offline out of fear of being outed; I mostly didn't use social media; and online banking was mostly a dream at that point, for early adopters. The idea of spending real time trying to lock down my email, passwords, and other information felt like something for the paranoid, and that was not me.
But as more of my life moved online, and I became more active online, the threats became more real. I started to wonder if my money was safe. I wondered if someone might impersonate me, and at what consequence to my reputation. And as I began to seek more social support for my gender non-conforming thoughts, there was an ever greater risk that someone might out me, and so keeping my identity, query logs, and other private information private began to become more important.
There was just one problem: actually securing my online life seemed to be really, really hard. As I began to do research in the early 2010's about best practices, it became clear that even basic security hygiene is simply unreasonable to expect of anyone online, as necessary as it is. To make my case, let's consider the list of best practices provided in Chapter 8 of Foundations of Information, and what I had to do to achieve all seven.
Do I use a unique password for every account? Well, now I do. It wasn't until I changed my first name that I took the time. It took me over 200 hours to find every account, document it in 1Password, my password manager, and generate a unique password for each account. Along the way, I found many sites that didn't even have ways for me to update my password, or only required an insecure 4 digit pin. And there were some accounts attached to email addresses that I no longer had access to, which made it impossible to secure my password. Cleaning up this mess was also emotionally draining, as I had to stare at my deadname on over 800 web accounts. It got to the point where I started giving friends my insecure passwords so they could update them for me, just to save me time and spare me emotional labor. So yes, I now have a unique password on every account, and it was one of the most challenging tasks to coordinate online that I've ever done.
Do I use a password manager to store your passwords? I do now. I spent a long time evaluating the options -- built-in managers by Apple and Google, third party solutions like LastPass, Dashlane, and 1Password -- and found that they each had subtle complexities. Apple would only work on my Apple devices and didn't allow me to provide custom metadata with them, making it less useful for non-password private content. LastPass and Dashlane stored passwords in their private clouds, which scared me. 1Password was the only cross-platform solution that allowed for peer to peer, cloud free encrypted password storage, and also allowed for complex metadata and non-password private information, and so I chose that. But the sheer amount of technical expertise I needed to make that decision, plus the $100+ a year I spend subscribing to its family sharing services, is out of reach of most people online.
Do I use two-factor authentication wherever possible? Yes, I do now. And as much as it has become more common, I find it increasingly difficult to manage. It would be simple enough if there were a single interface for authenticating on my phone. But there's not. For Google, I need to go to YouTube on my phone. For Apple, I have to respond to a dialog prompt that sometimes shows up on my phone, sometimes on other devices. For GitHub, there's a strange 2 digit code for me to enter on the GitHub app. And for npm package publishing, I somehow long ago set up biometric FaceID authentication on the command line? Keeping track of all these constantly evolving methods of authentication is a mess.
Do I verify that links are not phishing attacks? It took me a while, but yes. I now consistently hover over every link in every email to see whether it is a domain I trust. But it has gotten harder. UW, for example, now replaces all links in emails with "urldefense" links. Presumably it is automatically checking if links are to be trusted and blocking them if not, but now the URLs are so obscured, I can't tell at all whether I trust the link. And so my ability to detect phishing attacks has been taken out of my hands.
Do I always install updates promptly to patch vulnerabilities? I didn't always. After all, it's disruptive: it often means downloading 1 GB on potentially slow wi-fi, waiting 10-15 minutes for an install and reboot to complete, and in the end, there's usually nothing tangibly better about my phone or laptop. I just lose some time and battery life, and don't really know what was fixed. Of course, now I'm that annoying person telling all of my family members to interrupt their days to do the same.
Do I ensure you visit websites with the HTTPS protocol? This has become much easier; most browsers and sites that support https will automatically redirect to it. But for the longest time, I didn't even realize the consequences of a straight http connection. Once I realized that all of my data is transmitted unencrypted through wifi, routes, and the internet, my mind was blown that no matter how much Google promised to keep my queries private, every single word I typed online could be seen by someone sitting in the same room as me with a packet sniffer.
And finally, do I read the privacy policies of applications you use? I wish I could say yes. But I usually only do when I'm preparing to teach a class on privacy, and need a good example. Somehow, all of the difficulties above are nothing when compared to the pain of reading 10,000 words of legalese. I recently wrote a terms of service for a project I'm working on, and it was a fun exercise to try to make the site's promises more legible. But unless I'm writing them, or reading them for work, I can't imagine a worse way to spend my time.
It stuns me that doing all of these things is essential to keeping our privacy online. And that simply not doing one of them is enough to expose us to identity theft, impersonation, and harassment. But I do not blame anyone for not doing them, nor do I blame computer scientists for creating such a complex world. I blame Claude Shannon's entire idea of information as bits, for making it so easy to take things so private and reduce them to something so trivial to copy and share.